Opening statement by Australian Information Commissioner and Privacy Commissioner

27 February 2019

The OAIC welcomes the introduction of the Consumer Data Right and supports initiatives which seek to give individuals greater choice and control over how their data is used.

As a data portability tool, the Consumer Data Right takes the existing right in the Privacy Act of individuals to access their data under Australian Privacy Principle 12 and extends it by facilitating a copy of a consumer’s data being provided to another service provider at the option of the consumer.

The OAIC acknowledges that the important policy objective behind the introduction of the Consumer Data Right is to ensure that individuals can use their data to enable the provision of new or improved services, to increase competition and to drive innovation. And under the Consumer Data Right, both individuals and notably businesses can make use of this right.

So accordingly, the draft legislation provides both the ACCC and the OAIC with distinct but complementary roles in co-regulating the CDR scheme. Once the scheme is operational, the OAIC’s primary role will be to regulate the privacy safeguards currently contained within the Bill and the Rules that relate to them, including by handling complaints from individual and small business consumers in relation to their consumer data.

The Bill gives the OAIC a range of advisory, educative and also regulatory functions in terms of investigative and enforcement options to handle complaints and otherwise investigate suspected privacy breaches. And the Bill also provides an advisory role in relation to the designation of new sectors, and the ACCC’s development of rules.

So the CDR is a specific data portability tool to be used in situations permitted by the legislative framework. And the framework aims to allow consumers to take advantage of the tool in a way that stimulates competition and innovation, while protecting personal information. And as the scheme is intended to facilitate and encourage individuals sharing their data with third parties, it will inevitably lead to increased personal information flows across the economy and between entities.

So a strong privacy and security framework to protect consumers’ information is therefore a necessary enabler for maintaining the integrity of, and the public confidence in, this scheme. It’s therefore appropriate for the Consumer Data Right to have more specific privacy requirements and obligations in place, as is proposed.

Information within the boundaries of the CDR system is regulated by the CDR-specific legislative framework, and information that is outside that system is regulated by the Australian Privacy Principles in the Privacy Act (where it applies).

While I consider there are sound reasons for creating a separate legislative framework for the handling of information within the Consumer Data Right scheme at this time ― for example, to allow more specific privacy obligations and security safeguards to promote it in the context of encouraging increased information flows, and also noting that businesses will also be able to exercise the right ― there do remain opportunities to strengthen the framework and the role of my Office specifically in relation to the Rules. And I’d like to specify those propositions now.

The Privacy Safeguards set out in the Bill are particularised through Rules made by the ACCC and at present the making of rules is discretionary under the Bill. I consider that the Bill should require the rule-maker to make rules in relation to those elements that are critical to ensuring a strong and effective privacy protection framework. As drafted, the legislation states that the rule-maker ‘may’ make rules.

In making the rules the ACCC’s role is a substantial one and is of central importance in ensuring appropriate privacy protections are in place. The ACCC will therefore need to fully consider the privacy impacts of the rules it intends to make, and the OAIC and the ACCC are working well in close consultation and collaboration on these matters. And the Bill recognises that cooperation and contains a requirement for the ACCC to consult me about the making of the rules.

However, for abundant clarity, in recognition of the OAIC’s privacy expertise, I recommend that the Bill be amended to require the ACCC to have regard to the Commissioner’s submissions, and to further require the Minister to be satisfied that any privacy concerns raised by me had been addressed before consenting to the making of the rules. And this I consider would provide additional assurance to the community.

On another issue, I am aware of the concerns of some stakeholders about the potential for entities to require consumers to provide them with ‘CDR data’ outside of the system, and resultant concerns regarding how that information may be protected in those circumstances:

Creating a tool like the Consumer Data Right to facilitate access to data in a usable form could encourage unscrupulous entities to leverage that tool in an unintended way and avoid the specific regulatory restrictions put in place, it’s been contended. I’d also note that existing Privacy Act requirements would apply to entities to the extent they are currently regulated under the Privacy Act regime in those circumstances.

And there’s also a clear role for regulators in undertaking education and awareness to help mitigate these risks. That’s a matter that the OAIC is committed to as part of our education and awareness role in implementing the CDR.

However, I also suggest to the Committee that, looking more broadly, both domestic and international developments indicate, I think, that there is an opportunity to consider the case for enhancing privacy protections generally in Australia, alongside this initiative, to ensure that personal information is protected while facilitating information flows.